From: usfinecats on 20 Mar 2006 14:29

PsSetLoadImageNotifyRoutine has a limit of 8 for callback notifications. This seems to be a pretty heavy-handed method for finding out the name of a process when it is loaded.

In general, given a processid how else can I find out the name of its image. processid?

given a processid, find out its IMAGE_INFO?

-- 
Gak - Finecats
From: usfinecats on 23 Mar 2006 12:27

Does anyone monitor this newsgroup? My question has gone unanswered for several days now!

-- 
Gak - Finecats
From: Don Burn on 23 Mar 2006 12:37

Call to user space, and use EnumProcessModules. This is the sure way to do this, and works for older systems. Just understand that it will not work at the time of PsSetCreateProcessNotify, since the process is not in the object table yet.

-- 
Don Burn (MVP, Windows DDK)
Windows 2k/XP/2k3 Filesystem and Driver Consulting
Remove StopSpam from the email to reply
From: Sergei Zhirikov on 23 Mar 2006 13:34

"Don Burn" <burn(a)stopspam.acm.org> wrote in message news:eVaHyBqTGHA.4308(a)TK2MSFTNGP10.phx.gbl...
> ... it will not work at the time of PsSetCreateProcessNotify, since the
> process is not in the object table yet.

Don, could you please elaborate a bit? What exactly does that imply?

I've been playing with PsSetCreateProcessNotifyRoutine and inside the callback I've been able to access the new process by using PsLookupProcessByProcessId, ObOpenObjectByPointer, ZwQueryInformationProcess/ZwSetInformationProcess. Also ZwQuerySystemInformation(SystemProcessesAndThreadsInformation) returns a data block that contains the new process. Could that all have worked if the process wasn't in the object table?

I agree that EnumProcessModules in user mode won't work, but IMO the reason is that there are no modules loaded yet. Wouldn't you agree?

-- 
Sergei.
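The sequence Sergei describes, written out as an added example that is not code from the thread or from any poster: a create-process notify routine that goes PID -> EPROCESS -> kernel handle -> ZwQueryInformationProcess(ProcessImageFileName), plus a portable helper that reduces the returned native device path to its base name. Assumptions: the kernel part builds under the WDK (guarded by the WDK's _KERNEL_MODE macro; ZwQueryInformationProcess and ProcessImageFileName are declared in current ntddk.h, older DDKs needed a hand-written prototype), and the helper takes the path as a narrow string, e.g. after it has been logged.

```c
/* Added example, not from the thread: resolve a new process's image path in a
 * create-process notify routine, as Sergei describes. Kernel part needs the WDK. */
#include <string.h>

/* Image paths come back as native device paths such as
 * "\Device\HarddiskVolume1\Windows\System32\notepad.exe"; return the final
 * component so it can be logged or matched consistently. */
const char *ImageBaseName(const char *nativePath)
{
    const char *base = nativePath;
    const char *p;
    for (p = nativePath; *p != '\0'; ++p) {
        if (*p == '\\' || *p == '/')
            base = p + 1;
    }
    return base;
}

#ifdef _KERNEL_MODE   /* assumed set by the WDK kernel build; skipped by a host compiler */
#include <ntifs.h>
#include <ntddk.h>

static VOID CreateProcessNotify(HANDLE ParentId, HANDLE ProcessId, BOOLEAN Create)
{
    PEPROCESS process;
    HANDLE handle;
    ULONG returned;
    /* ProcessImageFileName fills a UNICODE_STRING followed by its own buffer. */
    struct { UNICODE_STRING Name; WCHAR Buffer[520]; } image;

    UNREFERENCED_PARAMETER(ParentId);
    if (!Create)
        return;                                   /* exits are not of interest here */

    /* Same steps as in the thread: PID -> EPROCESS -> kernel handle -> query. */
    if (!NT_SUCCESS(PsLookupProcessByProcessId(ProcessId, &process)))
        return;
    if (NT_SUCCESS(ObOpenObjectByPointer(process, OBJ_KERNEL_HANDLE, NULL,
                                         PROCESS_QUERY_INFORMATION, *PsProcessType,
                                         KernelMode, &handle))) {
        if (NT_SUCCESS(ZwQueryInformationProcess(handle, ProcessImageFileName,
                                                 &image, sizeof(image), &returned)))
            DbgPrint("pid %p image %wZ\n", ProcessId, &image.Name);
        ZwClose(handle);
    }
    ObDereferenceObject(process);   /* balances the PsLookupProcessByProcessId reference */
}
/* Register in DriverEntry with PsSetCreateProcessNotifyRoutine(CreateProcessNotify, FALSE)
 * and remove it on unload with the same call and TRUE. */
#endif
```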
From: Don Burn on 23 Mar 2006 13:49
Sergei,

The things you are doing work, but the object is not truly in the general object table and has not had access granted to it. I have found out the hard way that this can cause problems if you are doing things like trying to terminate the process.

-- 
Don Burn (MVP, Windows DDK)
Windows 2k/XP/2k3 Filesystem and Driver Consulting
Remove StopSpam from the email to reply